IPSEC FOR LARGE SCALE DEPLOYMENTS
DevConf, Brno, January 2020
Presented by Paul Wouters, VPN Technologies THE LIBRESWAN PROJECT An Internet Key Exchange (“IKE”) daemon for IPsec
• Continuation of openswan, which itself was a fork of freeswan • Uses the NSS library for all its crypto • Certified (FIPS, Common Criteria, USGv6, etc.) • Supports X.509 and DNSSEC as PKI • Supports raw public keys and PSK • Supports IKEv1 and IKEv2
2 IPsec for large scale deployments IPsec PRIMER IKE + IPsec = VPN
IKE (USERLAND) IPsec (KERNEL) ISAKMP, IKE SA, PHASE 1 IPsec SA, CHILD SA, PHASE 2 UDP PORT 500 AND 4500 PROTOCOL 50 (ESP) AND 51 (AH)
• Command Channel • Data Channel • Peer authentication • Encapsulated Security Payload • Connection parameter negotiation (ESP) IP packet encryption • IPsec symmetric key generation • Authenticated Header (AH) • Communicates to kernel • ESPinUDP (for NAT)
• IKE itself is encrypted • Tunnel Mode (IP in IP) • IKE does not encrypt the IP traffic • Transport Mode
3 IPsec for large scale deployments LINUX IPsec IMPLEMENTATION (XFRM) 1. IPsec in the kernel has policies (SPD) and states (SAD) Visible via: ip xfrm policy, ip xfrm state Communication between userland and kernel visible via: ip xfrm monitor • Packets matching policies with a linked state causes encryption/decryption • Unencrypted packets matching an encryption policy without state are dropped • First outgoing plaintext packet matching IPsec policy without IPsec state triggers an ACQUIRE 2. Userland inserts “trap” policies for on-demand tunnels 3. Userland requests to receive ACQUIREs and processes these when received • Perform IKE negotiation with remote peer • Send IPsec policy and encryption/authentication keys to the kernel 4. Kernel processes netlink messages • Install received crypto keys in state, link crypto state to policy • If TCP was stored, send out cached TCP packet
4 IPsec for large scale deployments LINUX IPsec IMPLEMENTATION (XFRM) Mobile IKE: Support for mobile clients that change IP address 1. Libreswan receives an IKE message from a new IP address 2. Matches the encrypted IKE packet via SPI’s to an existing peer 3. Decrypts and confirms this IKE packet is a new packet (via sequence number) 4. Send XFRM_MIGRATE message to kernel 5. Kernel updates endpoint IP of the XFRM state 6. Libreswan confirms via a reply IKE message using the new destination IP address
5 IPsec for large scale deployments LINUX XFRM / NETKEY KERNEL STATE srcsrc 10.3.230.191/3210.3.230.191/32 dstdst 0.0.0.0/00.0.0.0/0 dirdir outout prioritypriority 666666 ptypeptype mainmain tmpltmpl srcsrc 76.10.157.6876.10.157.68 dstdst 209.132.183.55209.132.183.55 protoproto espesp reqidreqid 1641316413 modemode tunneltunnel srcsrc 0.0.0.0/00.0.0.0/0 dstdst 10.3.230.191/3210.3.230.191/32 dirdir fwdfwd prioritypriority 666666 ptypeptype mainmain tmpltmpl srcsrc 209.132.183.55209.132.183.55 dstdst 76.10.157.6876.10.157.68 protoproto espesp reqidreqid 1641316413 modemode tunneltunnel srcsrc 0.0.0.0/00.0.0.0/0 dstdst 10.3.230.191/3210.3.230.191/32 dirdir inin prioritypriority 666666 ptypeptype mainmain tmpltmpl srcsrc 209.132.183.55209.132.183.55 dstdst 76.10.157.6876.10.157.68 protoproto espesp reqidreqid 1641316413 modemode tunneltunnel
srcsrc 209.132.183.55209.132.183.55 dstdst 76.10.157.6876.10.157.68 protoproto espesp spispi 0x605ad2be0x605ad2be reqidreqid 1641316413 modemode tunneltunnel auth-truncauth-trunc hmac(sha1)hmac(sha1) 0x4b7e46cdee9c27588a1a75f6846073cea0x4b7e46cdee9c27588a1a75f6846073cea 9696 encenc cbc(aes)cbc(aes) 0x11ddc9080945111087e81f9ebda5aacb7612c78af18950x11ddc9080945111087e81f9ebda5aacb7612c78af1895 srcsrc 76.10.157.6876.10.157.68 dstdst 209.132.183.55209.132.183.55 protoproto espesp spispi 0x8ca00de30x8ca00de3 reqidreqid 1641316413 modemode tunneltunnel auth-truncauth-trunc hmac(sha1)hmac(sha1) 0x1119585d334a88e023134a100eca6b09f0x1119585d334a88e023134a100eca6b09f 9696 encenc cbc(aes)cbc(aes) 0x310b852b9cbaf2cace7979c1aeb5df4b32eb418c5c3000x310b852b9cbaf2cace7979c1aeb5df4b32eb418c5c300
6 IPsec for large scale deployments
2019: Libreswan
• RFC 8229 “TCP Encapsulation of IKE and IPsec packets” support [*] • Proof of concept for per-cpu IPsec SA support (pCPU XFRM) • XFRMi virtual interface support to replace VTI virtual interfaces • libvirt/KVM based testing complimented with namespace based testing Much faster, takes less resources, can run tests in parallel • NSS: Use the new “IPsec profile” X.509 validation (RFC 4945) • Dramatically improve IKE performance by offloading more code to threads • NSS: Cache decrypted private keys (Bob’s performance trick) • RFC 5685 IKEv2 REDIRECT support for dynamic load balancing • CVE-2019-12312 (crasher) and CVE-2019-10155 (sig validation failure) • Improvements for Enterprise-wise (mesh) encryption
8 IPsec for large scale deployments XFRMi virtual interface
• Specify: ipsec-device=
• Older VTI (ip_vti0) implementation had limitations: Each IPsec SA needed its own VTI interface and could only be ipv4 or ipv6 There could only be one wildcard interface (max 1 dynamic IP remote client) VTI Only supported Tunnel Mode, not Transport Mode Used GRE keys and MARKs
9 IPsec for large scale deployments TCP support for Remote Access VPN
• IPsec (ESP) is usually encapsulated in UDP to traverse NATs • IKE protocol uses UDP • Some networks block IPsec (or all UDP except DNS)
• RFC 8229: TCP encapsulation of IKE and ESP Port number not defined (evasive actions) “IKETCP” prefix to support demultiplexing (aka IPsec-in-TLS support)
• New per connection options: tcp-listen=
10 IPsec for large scale deployments Per-CPU support for high speed IPsec SAs
• Proof of Concept for per-cpu IPsec SA support (pCPU XFRM) • Currently, 1 IPsec SA can only use 1 CPU (about 1-5 gbps) • With pCPU, create
11 IPsec for large scale deployments Libreswan testing
• KVM/libvirt testing - 700+ tests • libreswan.org/wiki/Test_Suite_-_KVM • Took between 4 and 8 hours to run – reduced to 2-3 hours • Would regularly hang KVM instances • Tests cannot run in parallel
• Introduced namespaces based testing • libreswan.org/wiki/Test_Suite_-_Namespace • Re-uses KVM/libvirt tests, so most of the 700+ tests are functional • Tests can be started in parallel (but sadly not too many still)
12 IPsec for large scale deployments TESTING.LIBRESWAN.ORG
13 IPsec for large scale deployments IPsec deployment types
• Host to host VPN • Site to site VPN • Remote Access VPN • Enterprise wide encryption (mesh encryption) • Internet wide Opportunistic Encryption (try IPsec, fallback to clear)
14 IPsec for large scale deployments Host to host example configuration Using self-signed or CA based certificates:
## installinstall localcertificate:localcertificate: ipsecipsec importimport MyName.example.com.p12MyName.example.com.p12 ## ConventionConvention used:used: leftleft meansmeans local,local, rightright meansmeans remoteremote ## /etc/ipsec.d/host-to-host.conf/etc/ipsec.d/host-to-host.conf ## bringbring upup manuallymanually using:using: ipsecipsec autoauto –up–up host-to-hosthost-to-host
connconn host-to-hosthost-to-host left=192.1.2.23left=192.1.2.23 [email protected][email protected] ## ourour certificatecertificate leftcert=MyName.example.comleftcert=MyName.example.com right=192.1.2.45right=192.1.2.45 [email protected][email protected] ## IDID mustmust bebe SubjectAltNameSubjectAltName onon certcert ## theirtheir certificatecertificate transmittedtransmitted viavia IKEIKE auto=ondemandauto=ondemand
15 IPsec for large scale deployments Net to Net example configuration Using self-signed or CA based certificates:
## installinstall localcertificate:localcertificate: ipsecipsec importimport MyName.example.com.p12MyName.example.com.p12 ## ConventionConvention used:used: leftleft meansmeans local,local, rightright meansmeans remoteremote ## /etc/ipsec.d/net-to-net.conf/etc/ipsec.d/net-to-net.conf ## bringbring upup manuallymanually using:using: ipsecipsec autoauto –up–up net-to-netnet-to-net
connconn net-to-netnet-to-net left=192.1.2.23left=192.1.2.23 leftsubnet=192.0.1.0/24leftsubnet=192.0.1.0/24 [email protected][email protected] ## ourour certificatecertificate leftcert=MyName.example.comleftcert=MyName.example.com right=192.1.2.45right=192.1.2.45 rightsubnets={192.0.2.0/24,rightsubnets={192.0.2.0/24, 192.168.0.0/16}192.168.0.0/16} [email protected][email protected] ## IDID mustmust bebe SubjectAltNameSubjectAltName onon certcert ## theirtheir certificatecertificate transmittedtransmitted viavia IKEIKE auto=ondemandauto=ondemand
16 IPsec for large scale deployments Remote Access Server configuration Using CA based certificates:
## /etc/ipsec.d/vpnserver.conf/etc/ipsec.d/vpnserver.conf
connconn vpnservervpnserver left=193.110.157.148left=193.110.157.148 leftcert=vpn.nohats.caleftcert=vpn.nohats.ca [email protected][email protected] ## forfor split-VPN,split-VPN, specifyspecify youryour server’sserver’s subnetsubnet insteadinstead ofof 0/00/0 leftsubnet=0.0.0.0/0leftsubnet=0.0.0.0/0 rightaddresspool=100.64.13.2-100.64.13.254rightaddresspool=100.64.13.2-100.64.13.254 right=%anyright=%any rightid=%fromcertrightid=%fromcert ## serverserver optionsoptions auto=addauto=add rekey=norekey=no modecfgdns=8.8.8.8modecfgdns=8.8.8.8 modecfgpull=yesmodecfgpull=yes dpddelay=9mdpddelay=9m dpdtimeout=30mdpdtimeout=30m dpdaction=cleardpdaction=clear mobike=yesmobike=yes ipsec-interface=yesipsec-interface=yes 17 IPsec for large scale deployments Remote Access Client configuration Using CA based certificates:
## ImportImport mymy PKCS#12PKCS#12 cert:cert: ipsecipsec importimport letoams.nohats.ca.p12letoams.nohats.ca.p12 ## /etc/ipsec.d/corporate.conf/etc/ipsec.d/corporate.conf
connconn corporate-vpncorporate-vpn left=%defaultrouteleft=%defaultroute leftcert=letoams.nohats.caleftcert=letoams.nohats.ca leftsubnet=0.0.0.0/0leftsubnet=0.0.0.0/0 leftmodecfgclient=yesleftmodecfgclient=yes right=vpn.nohats.caright=vpn.nohats.ca rightsubnet=0.0.0.0/0rightsubnet=0.0.0.0/0 [email protected][email protected] narrowing=yesnarrowing=yes rekey=yesrekey=yes mobike=yesmobike=yes
18 IPsec for large scale deployments Remote Access Client configuration Using CA based certificates:
$$ sudosudo ipsecipsec autoauto --up--up vpn.nohats.cavpn.nohats.ca 181181 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #1:#1: initiatinginitiating IKEv2IKEv2 IKEIKE SASA 181181 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #1:#1: STATE_PARENT_I1:STATE_PARENT_I1: sentsent v2I1,v2I1, expectedexpected v2R1v2R1 182182 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: STATE_PARENT_I2:STATE_PARENT_I2: sentsent v2I2,v2I2, expectedexpected v2R2v2R2 {auth=IKEv2{auth=IKEv2 cipher=AES_GCM_16_256cipher=AES_GCM_16_256 integ=n/ainteg=n/a prf=HMAC_SHA2_512prf=HMAC_SHA2_512 group=MODP2048}group=MODP2048} 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: certificatecertificate verifiedverified OKOK [email protected],CN=vpn.nohats.ca,OU=Clients,[email protected],CN=vpn.nohats.ca,OU=Clients,O=No HatsHats Corporation,L=Ottawa,ST=Ontario,C=CACorporation,L=Ottawa,ST=Ontario,C=CA 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: IKEv2IKEv2 modemode peerpeer IDID isis ID_FQDN:ID_FQDN: '@vpn.nohats.ca''@vpn.nohats.ca' 003003 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: AuthenticatedAuthenticated usingusing RSARSA withwith IKEv2_AUTH_HASH_SHA2_512IKEv2_AUTH_HASH_SHA2_512 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: receivedreceived INTERNAL_IP4_ADDRESSINTERNAL_IP4_ADDRESS 100.64.13.3100.64.13.3 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: receivedreceived INTERNAL_IP4_DNSINTERNAL_IP4_DNS 193.110.157.148193.110.157.148 005005 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: ReceivedReceived INTERNAL_DNS_DOMAIN:INTERNAL_DNS_DOMAIN: nohats.canohats.ca 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: up-clientup-client output:output: updatingupdating resolvconfresolvconf 002002 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: negotiatednegotiated connectionconnection [100.64.13.3-100.64.13.3:0-65535[100.64.13.3-100.64.13.3:0-65535 0]0] ->-> [0.0.0.0-255.255.255.255:0-65535[0.0.0.0-255.255.255.255:0-65535 0]0] 004004 "vpn.nohats.ca"[1]"vpn.nohats.ca"[1] 193.110.157.148193.110.157.148 #2:#2: STATE_V2_IPSEC_I:STATE_V2_IPSEC_I: IPsecIPsec SASA establishedestablished tunneltunnel modemode {ESP/NAT=>0x0bb71fd2{ESP/NAT=>0x0bb71fd2 <0x899a9f05<0x899a9f05 xfrm=AES_GCM_16_256-NONExfrm=AES_GCM_16_256-NONE NATOA=noneNATOA=none NATD=193.110.157.148:4500NATD=193.110.157.148:4500 DPD=passive}DPD=passive}
19 IPsec for large scale deployments Remote Access Client NetworkManager plugin networkmanager-libreswan
20 IPsec for large scale deployments Remote Access Server Web interface Preview: github.com/Rishabh04-02/Libreswan-managing-interface
21 IPsec for large scale deployments Remote Access Server interface
• Setup a Certificate Agency CA) • Setup the VPN server (TLS and IPsec) • Generate client certificates (PKCS#12) for download • Generate iOS/OSX VPN profiles (1 click install) • Traffic Accounting of clients • Temporarily and permanently Revoke client certificates
22 IPsec for large scale deployments Enterprise wide (mesh) encryption
• Each node attempts on-demand (opportunistic) IPsec to each other node • A node policy can be REQUIRE, OPTIONAL, or NO encryption using IPsec • Nodes should be able to list policies based on IP ranges and/or ports • Exceptions should be allowed for specific nodes • Added a new node should not require any reconfiguration on existing nodes • Idle IPsec connections should be removed over time • Currently support X.509 and DNSSEC as PKI for authenticating nodes
• WARNING: Your network based firewalls and IDS are bypassed!
23 IPsec for large scale deployments Enterprise wide (mesh) encryption Group policy files in /etc/ipsec.d/policies/* list network CIDRs andports
/etc/ipsec.d/policies/clear/etc/ipsec.d/policies/clear -- OnlyOnly allowallow cleartextcleartext /etc/ipsec.d/policies/clear-or-private/etc/ipsec.d/policies/clear-or-private -- DefaultDefault clear,clear, allowallow IPsecIPsec /etc/ipsec.d/policies/private/etc/ipsec.d/policies/private -- RequireRequire IPsecIPsec /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear -- IPsec,IPsec, fallbackfallback toto clearclear
## /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear 193.110.157.0/24193.110.157.0/24 193.111.228.0/24193.111.228.0/24
## /etc/ipsec.d/policies/private/etc/ipsec.d/policies/private 10.0.0.0/810.0.0.0/8 192.168.0.0/16192.168.0.0/16
## /etc/ipsec.d/policies/clear/etc/ipsec.d/policies/clear 193.110.157.0/24:22193.110.157.0/24:22 ## sshssh 193.110.157.0/24:443193.110.157.0/24:443 ## httpshttps
24 IPsec for large scale deployments Enterprise wide (mesh) encryption Policy files are implemented using “regular” connection definitions
## installinstall localcertificate:localcertificate: ipsecipsec importimport node1.example.com.p12node1.example.com.p12 ## /etc/ipsec.d/private.conf/etc/ipsec.d/private.conf
connconn privateprivate left=%defaultrouteleft=%defaultroute leftid=%fromcertleftid=%fromcert ## ourour certificatecertificate leftcert=node1.example.comleftcert=node1.example.com right=%opportunisticgroupright=%opportunisticgroup rightid=%fromcertrightid=%fromcert failureshunt=dropfailureshunt=drop negotiationshunt=holdnegotiationshunt=hold auto=ondemandauto=ondemand
25 IPsec for large scale deployments Enterprise wide (mesh) encryption Configuration for IPsec with fallback to cleartext
## installinstall localcertificate:localcertificate: ipsecipsec importimport node1.example.com.p12node1.example.com.p12 ## /etc/ipsec.d/private-or-clear.conf/etc/ipsec.d/private-or-clear.conf
connconn private-or-clearprivate-or-clear left=%defaultrouteleft=%defaultroute leftid=%fromcertleftid=%fromcert ## ourour certificatecertificate leftcert=node1.example.comleftcert=node1.example.com right=%opportunisticgroupright=%opportunisticgroup rightid=%fromcertrightid=%fromcert failureshunt=passthroughfailureshunt=passthrough negotiationshunt=passthroughnegotiationshunt=passthrough ## toto notnot leakleak cleartextcleartext duringduring IKEIKE negotiation:negotiation: ## negotiationshunt=holdnegotiationshunt=hold auto=ondemandauto=ondemand
26 IPsec for large scale deployments Enterprise wide (mesh) encryption Configuration for preferring plaintext but accepting IPsec if requested
## installinstall localcertificate:localcertificate: ipsecipsec importimport node1.example.com.p12node1.example.com.p12 ## /etc/ipsec.d/clear-or-private.conf/etc/ipsec.d/clear-or-private.conf
connconn clear-or-privateclear-or-private left=%defaultrouteleft=%defaultroute leftid=%fromcertleftid=%fromcert ## ourour certificatecertificate leftcert=node1.example.comleftcert=node1.example.com right=%opportunisticgroupright=%opportunisticgroup rightid=%fromcertrightid=%fromcert failureshunt=passthroughfailureshunt=passthrough negotiationshunt=passthroughnegotiationshunt=passthrough ## toto notnot leakleak cleartextcleartext duringduring IKEIKE negotiation:negotiation: ## negotiationshunt=holdnegotiationshunt=hold ## don’tdon’t initiate,initiate, butbut allowallow respondingresponding auto=addauto=add
27 IPsec for large scale deployments Recap: Enterprise wide (mesh) encryption
• Create policy connections in /etc/ipsec.d/*.conf for IPsec policy groups • Place IP address/port ranges in /etc/ipsec.d/policues/* • Import host PKCS#12 certificate into libreswan • Start the IPsec service • Profit!
• Check encryption ● ipsec trafficstatus ● ipsec status ● ipsec shuntstatus (for remote peers we tried and failed IPsec to)
28 IPsec for large scale deployments Internet wide mesh encryption using LetsEncrypt (Requires libreswan 3.30, uses NAT-within-IPsec)
## setupsetup onon laptoplaptop ## (host(host initiatedinitiated asas anonymous,anonymous, authenticatesauthenticates remoteremote server)server) $$ sudosudo ipsecipsec letsencryptletsencrypt --client--client ## echoecho “193.110.157.131/32”“193.110.157.131/32” >>>> /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear ## echoecho “0.0.0.0/0”“0.0.0.0/0” >>>> /etc/ipsec.d/policies/private-or-clear/etc/ipsec.d/policies/private-or-clear
## SetupSetup onon server:server: ## (host(host authenticatesauthenticates itselfitself viavia FQDNFQDN (eg(eg letsencrypt.nohats.ca)letsencrypt.nohats.ca) $$ sudosudo ipsecipsec letsencryptletsencrypt --server--server ## (create(create aa letsencryptletsencrypt certificatecertificate forfor IPsec)IPsec) $$ sudosudo ipsecipsec letsencryptletsencrypt --generate-certificate--generate-certificate my.example.commy.example.com
29 IPsec for large scale deployments LETSENCRYPT CLIENT FOR IPSEC Anonymous client to authenticated server
$$ pingping letsencrypt.libreswan.orgletsencrypt.libreswan.org PINGPING letsencrypt.libreswan.orgletsencrypt.libreswan.org (193.110.157.131)(193.110.157.131) 56(84)56(84) bytesbytes ofof data.data. 6464 bytesbytes fromfrom letsencrypt.libreswan.orgletsencrypt.libreswan.org (193.110.157.131):(193.110.157.131): icmp_seq=2icmp_seq=2 ttl=64ttl=64 time=96.2time=96.2 msms 6464 bytesbytes fromfrom letsencrypt.libreswan.orgletsencrypt.libreswan.org (193.110.157.131):(193.110.157.131): icmp_seq=3icmp_seq=3 ttl=64ttl=64 time=96.7time=96.7 msms
ipsecipsec whackwhack --trafficstatus--trafficstatus 006006 #2:#2: "private-or-clear#193.110.157.131/32"[1]"private-or-clear#193.110.157.131/32"[1] 100.64.0.2/32===100.64.0.2/32=== ...193.110.157.131,...193.110.157.131, type=ESP,type=ESP, add_time=1471926595,add_time=1471926595, inBytes=252,inBytes=252, outBytes=252,outBytes=252, id='CN=letsencrypt.libreswan.org',id='CN=letsencrypt.libreswan.org', lease=100.64.0.2/32lease=100.64.0.2/32
30 IPsec for large scale deployments DRAFT-ANTONY-IPSECME-OPPO-NAT Eliminating the IP address conflicts caused by NAT 193.110.15.131193.110.15.131 RemoteRemote OpportunisticOpportunistic IPsecIPsec serverserver 192.168.2.45192.168.2.45 OpportunisticOpportunistic ClientClient pre-NATpre-NAT IPIP addressaddress 100.64.0.2100.64.0.2 IPIP addressaddress fromfrom IPsecIPsec serverserver addressaddress poolpool ## ipip xfrmxfrm polpol srcsrc 100.64.0.2/32100.64.0.2/32 dstdst 193.110.157.131/32193.110.157.131/32 dirdir outout prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 192.1.2.45192.1.2.45 dstdst 193.110.157.131193.110.157.131 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel srcsrc 193.110.157.131/32193.110.157.131/32 dstdst 100.64.0.2/32100.64.0.2/32 dirdir fwdfwd prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 193.110.157.131193.110.157.131 dstdst 192.1.2.45192.1.2.45 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel srcsrc 193.110.157.131/32193.110.157.131/32 dstdst 100.64.0.2/32100.64.0.2/32 dirdir inin prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 193.110.157.131193.110.157.131 dstdst 192.1.2.45192.1.2.45 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel srcsrc 192.168.2.45/32192.168.2.45/32 dstdst 193.110.157.131/32193.110.157.131/32 dirdir outout prioritypriority 20802080 ptypeptype mainmain tmpltmpl srcsrc 192.1.2.45192.1.2.45 dstdst 193.110.157.131193.110.157.131 protoproto espesp reqidreqid 1638916389 modemode tunneltunnel
31 IPsec for large scale deployments DRAFT-ANTONY-IPSECME-OPPO-NAT Eliminating the IP address conflicts caused by NAT
193.110.15.131193.110.15.131 RemoteRemote OpportunisticOpportunistic IPsecIPsec serverserver 192.168.2.45192.168.2.45 OpportunisticOpportunistic ClientClient pre-NATpre-NAT IPIP addressaddress 100.64.0.1100.64.0.1 ClientClient IPIP addressaddress assignedassigned yy OpportunisticOpportunistic IpsecIpsec serverserver
## iptablesiptables -t-t natnat -L-L -n-n
ChainChain PREROUTINGPREROUTING (policy(policy ACCEPT)ACCEPT) targettarget protprot optopt sourcesource destinationdestination DNATDNAT allall ---- 193.110.157.131193.110.157.131 100.64.0.1100.64.0.1 \\ policypolicy matchmatch dirdir inin polpol ipsecipsec to:192.168.2.45to:192.168.2.45
ChainChain POSTROUTINGPOSTROUTING (policy(policy ACCEPT)ACCEPT) targettarget protprot optopt sourcesource destinationdestination SNATSNAT allall ---- 0.0.0.0/00.0.0.0/0 193.110.157.131193.110.157.131 \\ policypolicy matchmatch dirdir outout polpol ipsecipsec to:100.64.0.1to:100.64.0.1
Basically:Basically: NATNAT withinwithin thethe IPsecIPsec subsystemsubsystem
32 IPsec for large scale deployments QUESTIONS & ANSWERS
33 IPsec for large scale deployments